Threats to Terminal Services

When Terminal Services is installed on a Windows 2000 server, it allows remote computers to connect to the terminal server and launch a remote Windows desktop. When Terminal Services is installed, nonauthorized users can attempt to connect to the terminal server. If not configured for security, Terminal Services on a Windows 2000 server is a security threat. For example, when Terminal Services is installed on a Windows 2000 server, the following vulnerabilities exist:

  • Terminal Services users might be connecting with excess permissions.

  • Firewall security might be bypassed by Internet clients.

  • Terminal Services uses a well-known port.

  • Terminal Services requires the Log On Locally user right.

  • Attackers are provided a full Windows desktop.

Grants Excess Permissions for Users

If Terminal Services is installed with the Permissions Compatible With Terminal Server 4.0 Users, all users will connect with excess permissions. The excess permissions provide all terminal server clients with full access to critical registry locations and file locations on the disk.

When users connect to a terminal server, they are automatically made members of the Terminal Server Users group and will receive all permissions assigned to the Terminal Server Users group. Rather than being assigned individual permissions, Terminal Services users are all assigned the same permissions based upon their membership in the Terminal Server Users group.

Allows Bypass of Firewall Security

If a firewall allows remote clients to connect to a terminal server, the firewall cannot apply additional filters to the protocols and applications running within the Terminal Services session. Even if the firewall applies specific filters (for example, by preventing the use of FTP through the firewall), the Terminal Services client can run an FTP client within the session and transfer data on the network by using the FTP protocol.

The firewall will only allow connections to the terminal server's Transmission Control Protocol (TCP) port 3389. The actual data stream is initiated at the terminal server, not from the terminal server client. The only information transmitted between the terminal server client and the terminal server is mouse input, keyboard input, and display information. Depending on the level of encryption employed, this information is encrypted as it passes through the firewall.

Uses a Well-Known Port

By default, all connections to a terminal server connect to TCP port 3389 on the terminal server. Attackers can perform port scans that determine whether TCP port 3389 is open on a target server. Because no other ports are used in the connection to the terminal server, a probe against this single port is harder to detect than a scan that touches many ports.

Requires the Log On Locally User Right

To connect to a Windows 2000 terminal server, the user or group that contains the user's account must be assigned the Log On Locally user right. This user right applies to Terminal Services connections and physical connections at the computer hosting Terminal Services. The user right does not differentiate between a Terminal Services connection and a local logon at the terminal server.
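Since the same right admits both console and Terminal Services logons, the first check a practitioner wants is who actually holds it. The script below is an added example, not code from the Security Resource Kit: it reads the `[Privilege Rights]` section of a security template exported with `secedit /export /cfg <file>`, lists the principals granted `SeInteractiveLogonRight` (the policy name behind Log On Locally) and flags broad built-in groups that would let every member open a Terminal Services session. The template text is constructed; the well-known SIDs it decodes are real, while the domain-account SID is a made-up placeholder.

```python
"""
Added example (not from the Security Resource Kit): audit the Log On Locally
right from a secedit template.  SAMPLE_INF is constructed; the section name
and the "*SID,*SID" value layout match what secedit /export writes.
"""

# Well-known SIDs (real values); used only to make the report readable.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Broad groups that should not hold Log On Locally on a terminal server:
# any member of these can open a Terminal Services session.
OVERBROAD = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-546"}

# Constructed template; S-1-5-21-1234-5678-9012-1108 is a placeholder account SID.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-21-1234-5678-9012-1108
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.
    Principals are written as *SID by secedit; the leading '*' is stripped."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def audit_log_on_locally(inf_text):
    """Report who holds Log On Locally, who is explicitly denied it, and which
    holders are broad groups (a Deny right overrides an Allow, so a group
    present in both is not flagged)."""
    rights = parse_privilege_rights(inf_text)
    allowed = rights.get("SeInteractiveLogonRight", [])
    denied = set(rights.get("SeDenyInteractiveLogonRight", []))
    findings = []
    for sid in allowed:
        label = WELL_KNOWN_SIDS.get(sid, sid)
        if sid in OVERBROAD and sid not in denied:
            findings.append(
                f"{label} ({sid}) holds Log On Locally: every member of this "
                f"group can open a Terminal Services session"
            )
    return {
        "holders": [WELL_KNOWN_SIDS.get(s, s) for s in allowed],
        "denied": sorted(denied),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_log_on_locally(SAMPLE_INF)
    print("Log On Locally holders:", ", ".join(report["holders"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it against a real export (`secedit /export /cfg ts.inf` on the terminal server, then read that file instead of `SAMPLE_INF`) to see exactly which groups can reach the desktop; the explicit deny list is checked because `SeDenyInteractiveLogonRight` wins over the allow entry for the same principal.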

Provides an Attacker with a Full Windows Desktop

Terminal Services is the most functional remote connectivity solution. By default, when you connect to a terminal server, you gain total access to the remote terminal server's desktop. This includes all text-based and graphical applications installed on the terminal server, subject to the permissions assigned to the applications.


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189